Mining Jim Joy guest blogs
ComplianceESGApril 09, 2019

A Mining Guest Blog Series by Jim Joy – Part 7: Overview of critical control management and a few of its challenges


Welcome to the 7th article in the series covering Operational Risk Management (ORM) in the mining industry.

Earlier articles attempted to set a foundation of terms and concepts to help understand the ORM journey, as well as to help a site identify its current position on the journey.

Figure 1 - The operational risk management journey

This article will start to discuss Critical Control Management (CCM), outlined in two ICMM publications available on their website ( ICMM initiated requests for services to writing these publications in 2013 and 2014. The initial guide was written based on detailed survey and interview information from most ICMM companies, several of whom had advanced toward CCM. As such, CCM is an industry defined approach to managing H&S risks.

CCM involves a greatly improved alignment of risk management methods with effective management practice. Currently, ORM can be undertaken with limited connection to the ‘check and act’ parts of the PDCA management process. Companies involved in CCM describe an example issue with Risk Registers that often include long lists of potential events and some controls but provide limited management value.

The illustration below shows the CCM process. There are nine steps, six of which are required to plan the CCM programme before implementation in the last three steps. The steps are presented in a PDCA style loop, recognizing the need to learn from the process and the results to continually improve CCM.

Figure 2 - The CCM process (reproduced from ICMM, 2015) with output of step 3 added: Control-based Risk Management (CBRM).

The CCM process outlined in the ICMM Resources provides detailed step-by-step guidance. This guidance will not be repeated in this series of articles. Detailed understanding of the above process should be acquired by reading the ICMM documents. After two or more years of application, some of the challenges of this approach have been identified. This and the following articles will discuss a few of the challenges.

Challenge 1 – Incomplete step 3 before proceeding to step 4

This challenge is the most significant observation from the past two years. Some companies and sites have moved rapidly toward CCM without establishing that their overall control strategy is in place and functioning well for the priority of unwanted events (PUEs). Note that the ICMM document uses the term ‘material unwanted event’ which this article considers being synonymous with PUE.

Experienced mining people in the many workshops that introduced the ICMM CCM guide often expressed concerns. Individuals asked how only a few controls can be selected to manage a PUE. What about the other controls? Are they no longer important? I admit that at the time the provided answers weren’t adequate. More emphasis should have been put on the importance of successful, FULL completion of step 3, including a better image of a specific target outcome. The term, Control-Based Risk Management, has been derived in this series of articles to describe this fully completed outcome for step 3.

The published ICMM Guide states the Key Actions for step 3 as :

  1. Identify the controls
  2. Prepare a bowtie diagram
  3. Assess the adequacy of the bowtie and the controls

Experience seems to indicate that these steps are often completed in a single Bowtie Analysis (BTA) exercise for a selected PUE, possibly identifying new or improved controls. However, the results of the BTA have little impact on the effectiveness of the overall control strategy because they are not integrated into an effective control management approach. Sometimes the same exercise also includes a selection of the critical controls. As such, the team creates an image of the controls for an event and only briefly, if at all, discusses their current effectiveness, finally deciding which controls in the BTA are critical based on selection criteria.

Considering this observation, the questions in the various ICMM workshops may be well justified. Experienced site personnel may recognize that the overall control strategy for a PUE is not effectively in place so selecting a few controls to verify acceptable risk may be ill-advised, possibly increasing the risk.

Suggested New Key Actions for Step 3

  1. Carefully define the PUE, including the initiating event that will be the basis (or knot) of the BTA.
  2. Apply a BTA method to identify and examine the current control strategy (Remember that a control must be an act, object or technological system – see article 3 for definitions)
  3. Critically examine the adequacy of the controls by discussing their effectiveness (How reliable is the control? Will it be present and working as intended when needed?), erosion factors (What factors currently erode the control’s effectiveness?) and supporting activities (What activities currently support the control so it is present and working as intended?). Note that the answers to these questions will also be important in the next two articles on selecting critical controls and determining verification processes.
  4. Identify ways to improve control effectiveness by reducing the erosion factors, optimizing supporting activities and other methods. Overall control effectiveness can also be improved by adding new controls. Remember that objects and technological systems are inherently more effective than acts.
  5. Define the planned overall control strategy from the finalized BTA by drafting the Action Plan for improvements and additions, and ensuring that the controls are integrated into relevant supporting activities such as work methods, training, engineering requirements, communication mechanisms, monitoring/auditing systems, etc.
    Successful achievement of these 5 actions in step 3 of the CCM process should define a CBRM approach for the sites PUEs.

Successful achievement of these 5 actions in step 3 of the CCM process should define a CBRM approach for the sites PUEs.

Challenge 2 – Inadequate planning for the CCM process (Step 1)

As mentioned in previous articles, the journey toward good CBRM and CCM may take many years. Planning for the entire CCM process, including the CBRM output of step 3, may be unrealistic for sites who recognize that their general focus on controls needs improvement.

Successful completion of step 3, including the establishment of effective CBRM, is a watershed for improving the control management focus of site ORM. Therefore, if the site needs to improve both methods and mindsets about controls (managing risk is all about controls) then planning should only consider the development of CBRM. In other words, planning that covers only step 2 and 3 of the CCM process. Once in place and effective, planning to move toward CCM from steps 4 through 9 will be much easier and the magnitude of the required work will be clearer.

The next article will address the selection of critical controls from the defined CBRM control strategies.

Other blog posts from this series

  1. Welcome & Introduction
  2. A short history of Australian mining ORM – one perspective
  3. Key words and concepts in ORM – getting the conversations and thinking consistent
  4. Making the argument – risk is all about controls and their Effectiveness
  5. Good practice Operational Risk Management
  6. It’s a Journey – using journey models to analyse and plan ORM improvements
  7. Overview of critical control management and a few of its challenges
  8. Identifying critical controls
  9. Considering ‘acts’ as critical controls and the challenge of their measurability
  10. Challenging critical performance requirements
  11. Evolving operational risk management in the mining industry
  12. Linking the Critical Control performance requirements to the design of the verification process
  13. Defining accountabilities and the reporting process
  14. Continuous improvement and learning opportunities with Critical Control Management

© Jim Joy. 2019 – The copyright of the content of this guest blog belongs to Jim Joy who has authorized CGE Risk Management Solutions B.V. to provide this content on its website.

Back To Top